From: Eisfunke
To: wireguard@lists.zx2c4.com
Subject: Re: Reflections on WireGuard Design Goals
Date: Fri, 10 Aug 2018 16:42:15 +0200
Message-ID: <1898878.xtpBxs3Iqk@miranda>
Cc: Brian Candler
List-Id: Development discussion of WireGuard

Hello together,

> In the absence of that, it would be nice if the private key which is
> stored on the laptop were encrypted with a passphrase. Simplest option
> may be to extend wg-quick so that the entire config file can be
> pgp-encrypted.

One can already do that via the wg-quick PostUp hook, check out the Arch
Linux wiki:
https://wiki.archlinux.org/index.php/WireGuard#Store_private_keys_in_encrypted_form

The example is using pass, switching it for direct GPG (or keepassxc or
anything, really) should be easily possible.

Considering that possibility, I don't think adding GnuPG directly into
WireGuard would be a good idea. It would just add complexity for little to no
benefit.

Greetings,
Nicolas Lenz
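
The PostUp approach described in the message above, sketched as an added example that is not part of the original message or of the WireGuard project's own files. The interface name wg0, the addresses, the peer values, the pass entry name and the .gpg path are all assumptions chosen for illustration.

```ini
# --- Before: /etc/wireguard/wg0.conf with the key in cleartext at rest ---
# [Interface]
# Address = 10.0.0.2/24                      # assumed tunnel address
# PrivateKey = <base64 private key>          # readable by anyone who gets the file

# --- After: /etc/wireguard/wg0.conf with no key material on disk ---
[Interface]
Address = 10.0.0.2/24
# No PrivateKey line. wg-quick brings the interface up without a key and
# then runs PostUp, where %i expands to the interface name (wg0 here).
# wg-quick runs hooks through bash, so <( ... ) hands the decrypted key
# to `wg set` over a file descriptor instead of a temporary file.
# Assumes the pass store of the user running wg-quick (normally root)
# holds an entry named WireGuard/private-keys/wg0.
PostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)

# Direct GPG variant of the same hook (use one PostUp or the other).
# Assumes the key was encrypted to /etc/wireguard/wg0.key.gpg (hypothetical
# path) and that gpg can prompt for the passphrase from this session.
# PostUp = wg set %i private-key <(gpg --quiet --decrypt /etc/wireguard/%i.key.gpg)

[Peer]
PublicKey = <peer public key>                # placeholder
Endpoint = vpn.example.org:51820             # placeholder endpoint
AllowedIPs = 0.0.0.0/0
```

This protects the key only at rest: once the interface is up, root can still read it back with `wg show wg0 private-key`, and the hook fails if the passphrase prompt cannot reach the user.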